A smart card (10) which has an instruction processor (12)
which is connected to a changeable memory (16) in which
application programs are stored. The card is manufactured
partially blank, or without an application program stored
thereon, and an application program is then loaded into the
changeable memory, i.e., by downloading it from a
mainframe computer. In this manner, the application
program in a smart card may be changed by an
authorized party. Further, a flag (22) indicates whether
a program has been loaded on a smart card. Also
disclosed is a method of securing the program from
tampering by unauthorized parties where, in response
to certain instructions (such as a dump of
the application program), key portions are erased
prior to execution. Application programs are loaded
onto the card through the use of a double timed
reset, the first of which writes a predetermined sequence
on the card for a set time interval. The
second reset before the end of the set time interval
then indicates that a program load function is to
occur and causes key selected portions of the memory
to be overwritten and erased to protect key data
from the previous program from being maintained or
used later.
SMART CARD HAVING EXTERNAL PROGRAMMING CAPABILITY AND METHOD OF MAKING SAME



Background of the Invention 
Technical Field 

The present invention relates to improvements 
in portable cards carrying processors and memory 
thereon, of the type referred to in the industry as
"smart cards" or "integrated circuit cards" or
"chip-cards". More particularly, the present invention
relates to improvements in the manufacturing process
for such cards and the resultant card, whereby
the cards are manufactured at least partially
"blank" or without an application program loaded
therein and later customized, or loaded with the
appropriate application programs.



Background Art 

Numerous disclosures of smart cards and sys- 
tems for using such cards are known in the prior 
art. These smart cards are represented, by way of
example, by those described in U.S. Patents
3,702,464 to Castrucci and 4,007,355 to Moreno. In
such smart cards application programs are stored 
in read-only-storage within the card, fully and unal- 
terably fixed on the card at the time of initial 
manufacturing. Such read-only-storage is charac- 
terized by the limitation that the application pro- 
gram must be determined and loaded into the 
smart card upon its initial fabrication (during the 
manufacturing process). Once the program has 
been loaded, the slightest change in the program 
requires that at least the chip, if not the entire card,
must be scrapped.

This technique of manufacturing smart cards 
with application programs fixed in unalterable read- 
only-storage also means that the entire application 
program development process must precede any 
smart card manufacturing. This leads to sequential 
development and manufacturing, meaning a rela- 
tively long period from conception of an application 
program for a smart card until it is available in a 
completed smart card. As a result, it is necessary 
to "bread-board" an application program in some- 
thing other than a smart card itself, and such 
bread-board may require yet another step in the 
development process, with an instrument or tool 
other than the final product. Further, the simulation 
of the application program may require additional
software to allow the simulation, for example, of a 
terminal for communicating with the bread-boarded 
application program. 

A card having a fixed program and no capability
to be changed has an advantageous effect in
avoiding certain other limitations and disadvantages,
however. For example, if the program is
changeable and fixed into a memory which is initially
in a variable state, it may be difficult to
determine whether the memory includes an application
program loaded in it. A second example of
a limitation and disadvantage avoided by a card
with a fixed and unchangeable program is that
security against unauthorized access and modification
to the data is not required in the card having
fixed, unchangeable memory.

Smart cards with application programs stored 
thereon which use rewritable memory for storing 
transaction information such as the number of failures
in identification attempts or an account balance
are known. These values require periodic
updating and have been used to advantage in past
systems. However, none of these systems allow
the changing of the application program itself once
fixed in the smart card. 

In a card having memory which is initially not 
loaded with any particular program, the memory 
may initially have a random pattern in it. This 
makes it difficult (if not impossible) to determine
whether or not anything specific has been loaded 
into the memory such as a desired application 
program, or whether the random pattern from ini- 
tialization of memory by chance appears to be a 
portion of an application program loaded in it.

Some smart cards presently existing are un- 
desirable in that they usually include multiple in- 
tegrated circuit elements which must be separately 
handled and assembled and interconnected. Accordingly,
the prior art smart cards are undesirable
in having a fixed, unchangeable memory. Further, 
however, the mere provision of an alterable mem- 
ory for storing an application program only 
changes the concerns. Accordingly, the smart 
cards of the prior art have limitations and disadvantages
and do not address the needs of the society
who might use, issue and operate with smart cards. 



The present invention overcomes the limita- 
tions and disadvantages of the prior art smart card 
systems by providing an improved smart card and 
method of making it in which the card includes a
variable or reloadable storage element for applica- 
tion programs. As manufactured, the card includes 
a bootstrap program which includes the necessary 
instructions for receiving and storing an application 
program. The application program, once loaded,
may be reloaded into the reloadable storage element.
In this manner, the application program may
be loaded after manufacture, and may be reloaded 
or changed as desired. 

In the preferred embodiment of the present 
invention, the loading of memory of the smart card
with a program is accompanied by the loading of a
flag indicating that the application program in fact 
has been loaded. Thereafter, one can merely test 
for the flag to determine if the smart card has had 
an application program loaded therein. This over- 
comes the limitation of the prior art memories in 
that the random data during initial manufacture
makes it difficult to determine if an application 
program has been loaded in the card. 

The smart card of the present invention in- 
cludes a security feature to prevent unauthorized 
tampering with the program loaded therein. This 
feature, which can take various forms, prevents the 
reading of certain portions of memory to prevent 
hacking. In the preferred embodiment, this is accomplished
by erasing the first two pages of memory
prior to executing a dump of the memory. In
this way, the card remains free for reprogramming,
but a hacker who wishes to determine the
initial program and any secret keys stored in the
memory is thwarted by having the pages disappear
(permanently) prior to reading in an attempt to read
those pages. The card is thereafter worthless as a
smart card until reloaded by a possessor of the
total program. Otherwise, the accessing of that data
might allow a person with dishonest intentions to
modify the program slightly (to, for example,
change his identity or to avoid logging of his transactions)
to evade accountability designed into the
system.

The present smart card and method of making 
it has the advantage that hardware fabrication 
(namely the manufacture of cards without applica- 
tion programs loaded thereon) can be occurring 
while the software is being developed. Thus, the 
rather long development process of a smart card 
with an application program loaded thereon can be 
accomplished in a shorter time by allowing parallel 
development of the software. Further, the fact that 
the application program is reloadable or change- 
able upon desire means that the smart card manu- 
facturer will no longer be required to predict how 
many of a particular application program will be 
required. A large quantity of "blank" cards can be 
fabricated in advance, then loaded with the desired 
application program. 

The fact that the application program is devel- 
oped and loaded after manufacture has several 
other advantages. The issuer of a smart card (for 
example, a bank) no longer must divulge the de- 
tails of his security plan, floor limits for credit or 
other sensitive details to the manufacturer of the
smart cards. All of these features can be loaded by
the bank itself into a blank smart card later. Further,
the bank which has not included a feature in its
cards, either through oversight or through changing
market requirements, can simply modify the application
program which it is loading and have a
smart card with an improved application program.

While in one embodiment of the present invention,
the smart card of the present invention may
be manufactured using integrated circuits of conventional
design, an alternate embodiment of the
present invention envisions the use of a single
custom integrated circuit to be used, avoiding interconnection
between various integrated circuits as
well as the separate mountings necessary to the
base of the credit card itself. While the use of
conventional design integrated circuit allows low
volumes of smart cards to be manufactured quickly
and inexpensively, the savings in assembly occur
by the use of a single integrated circuit.

Other objects and advantages of the present 
invention will be apparent to those skilled in the art 
in view of the following description of the preferred 
embodiment, taken together with the appended
claims and the accompanying drawings.

Brief Description of the Drawings 

Figure 1 is a block diagram view of the
smart card of the present invention.

Figure 2 is a block diagram view of the
method of loading a smart card with an application
program on the smart card.

Best Mode of Carrying out the Invention 

Figure 1 depicts a smart card 10 which includes
an instruction processor 12, a read-only-store
or memory 14 and changeable memory 16.
Input/output (I/O) lines 18 are connected to the
instruction processor 12 for communication between
the card 10 and the external world (external
communication). Communication lines 20 interconnect
the instruction processor 12, the read-only-store
14 and the changeable memory 16 for internal
communication between portions of the card
10. A portion of the changeable memory 16 has
been identified as a flag 22.

The smart card 10 is, in its preferred embodi- 
ment, the size of a standard credit card and meets 
the recognized standards established by ISO for 
credit cards. Although it is not shown, it may include
a magnetic stripe, again of a type meeting
the appropriate commercial standard for storing
information for use in magnetic stripe communication
applications, all of which are well known. Other
indicia may be added to the card as desired in the
way of security markings, issuer, customers' name
and account number as may be desired by the
particular application, so long as the essential functioning
of the smart card is not impaired.

The instruction processor 12 is a conventional 
microprocessor of a type which is well known and 
commercially available. For the present application, 
a Model 8051 from Intel is well suited, although 
other processors could also be used to advantage. 

The read-only-storage 14 is a fixed read-only- 
memory which includes a bootstrap program fixed 
therein at the time of manufacture. This bootstrap 
program includes the basic instruction repertoire 
and instructions for loading an application program 
into the alterable memory 16. Although any one of 
numerous read-only-storage devices could be used 
to advantage in the present design, an 8051 microprocessor
from Intel includes a read-only-memory
in it, obviating the need for a separate read-only- 
memory. 

The alterable memory 16 is used as a storage 
for the application program. In its preferred em- 
bodiment, this is an electrically erasable read-only- 
memory (EEPROM), although other non-volatile 
memories could be used to advantage. The 
present invention uses a Model 9864A EEPROM
made by American Micro-Devices, although similar
devices could be used in its place. 

The alterable memory 16 contains the applica- 
tion program as well as other information which, 
although non-public, may be changeable, such as 
encryption keys or personal verification data. These 
application programs are those algorithms or other 
procedures which the smart card undertakes during 
its operation and which could vary from one application
for a smart card to the next application for
a smart card. These application programs include 
techniques for communication between the smart 
card and the external world, for example, with an 
automatic teller machine for conducting a banking 
transaction. Other application programs might con- 
duct necessary security and identification pro- 
cesses, conduct the actual transaction desired, 
and/or make a record on the smart card in the form
of a log entry of the transaction. 

In the nature of security or identification ap- 
plication programs, there is a necessity for the 
smart card and the terminal to mutually conduct 
device authentication. That is, each must make 
sure that the other is a legitimate device, and not 
merely a decoy whose mission is to obtain in- 
formation leading to penetration of the overall sys- 
tem. In this regard, a system of challenges and 
passwords which avoids the disclosure of meaningful
information to a decoy is disclosed in co-pending
patent application EP-86114963.1 filed by Abraham,
Double and Neckyfarow on November 18,
1985 and assigned to the assignee of the present
invention. That patent is specifically incorporated
by reference as disclosing one such application
program which might be loaded into the alterable
memory 16. In general, other application programs
which had been fixed in smart cards having a fixed
memory are also suitable for use in the smart
cards of the present invention in which the application
program is loadable after manufacture of the
card and reloadable if it is desired to change the
application program. 

The application programs also could be used 
to conduct user identification. This differs from the 
device authentication discussed in the previous 
paragraph, and would generally be conducted following
such authentication. The purpose of such
user identification is to insure that the person who
is conducting the transaction or doing the other
business using the smart card is identified. In the
context of an automatic teller transaction such as
banks presently use, this user authentication may
be by way of entry of a personal identification
number (PIN) into the automatic teller machine
keyboard. The card then compares the entered
number with a stored or calculated value to determine
if the user has entered a correct PIN number.

Other forms of user identification could also be 
employed in application programs such as poten- 
tially more accurate and less deceivable forms of 
positive personal verification, such as fingerprint
analysis or signature dynamics. Such improved
forms of positive personal verification are presently
known and could be implemented by suitable application
programs.

Of course, an application program for formatting
data for communication with the outside world
through the I/O lines 18 is also a necessary application
program. The data must be presented in a
format which the recipient device (such as the
automatic teller machine previously mentioned) can
recognize and use. Other application
programs would include the details of conducting
the transaction or other business for which the
smart card has been designed - the useful business
which is the whole reason for being of the
smart card. Such could be a cash withdrawal at the
automatic teller machine, use in funds transfer, or
an electronic funds transfer device in a point of
sale environment, where money from the consumer's
account is transferred to a merchant's account
as a result of a consumer purchase, carried out at
a machine in the merchant's store and coupled
electronically to a bank or clearing house. Finally,
since the smart card includes memory which is
alterable and writable, a written record of the transaction
may be logged on the smart card itself via
an application program - so the user can't forget
the transaction and claim that a mistake had been
made.

The I/O lines 18 connect the instruction processor
to the outside world. This outside world may be
an automatic teller machine in which the card has
been inserted, or other suitable device for communication.
In the typical smart card system existing
today, these I/O lines 18 terminate in a plurality of
electrical contacts arranged on the surface of the
smart card in a circular pattern set forth in a
recognized standard at predetermined locations
and spacings. The terminal then has complementary
contacts arranged to physically contact the I/O
lines 18 to transmit data therebetween in accordance
with a predetermined standard. Other forms
of coupling (even non-contact coupling) could be 
used to advantage, so long as the card commu- 
nicates. Typically, this communication is serial 
communication in which data is transmitted se- 
quentially. 

For the initial loading of programs, the I/O lines
18 are coupled to receive the application program 
from a mainframe processor wherein the instruc- 
tions are downloaded sequentially and stored in 
series in the alterable memory 16 in the order in 
which they are received. Alternately, the instruc- 
tions may be downloaded from the other processor 
by specifying the address in the alterable memory 
in which each instruction is to be loaded. Either 
technique can be used, and depending on the 
amount of data and storage pattern, and whether 
the memory is being fully overwritten and replaced 
or only selectively overwritten, one technique may 
be desirable over the other technique. 

While the present embodiment has been de- 
scribed in terms of a command processor 12, a 
read-only-store 14 and an alterable memory 16 in 
one embodiment and using conventional, commer- 
cially available components, a design in which all 
components are on a single chip is commercially 
feasible. While this is expected to be the preferred 
embodiment chosen by many designers, it would 
involve a custom designed chip. While that is clear- 
ly within the skill of today's circuit designers, the 
use of multiple commercially available components 
is believed desirable in many instances. 

Figure 2 illustrates a method of downloading 
the application program for the present system of 
making a smart card with a reloadable or change- 
able application program. As shown in this figure, 
the card 10 is separate from the development of 
the application program which occurs in a main- 
frame processor 50. The application program is 
written, compiled (if necessary), debugged and 
tested in the mainframe processor 50. The applica- 
tion program 52 is created as a result. The applica- 
tion server program 54 then serves to load and 
verify that the application program 52 is loaded 
onto the smart card 10. 
The card 10, which includes, as a part of its
bootstrap program, the software necessary to accomplish
the functions described in this Figure 2,
responds to a load signal (which is, in essence, a
double reset as described below) on line 60. This
signal on line 60 is handled first by a discriminator
62 which differentiates between load instructions
and execute instructions. The execute instructions
proceed to block 64 (where they are executed) and
load instructions proceed to block 66. At the block
66, a load instruction is subject to secure storage
supervision which guarantees that the secret pages
have been previously erased and that the program
remains in a load state. From block 66, control then
proceeds to block 68 which is a status reporting
function. When each step has been accomplished
correctly and the card is ready for additional data,
the status reporting function sends a signal to the
application server program 54 on line 70. In response
to that signal on line 70, the application
server program 54 then sends an additional instruction
or portion of the application program on line 72
to a command interpreter 74. All commands are
passed with a length and "checksum" value to
insure that data is not lost in transmission. The
checksum calculation is a counting of the ones in
the data being transmitted which, together with the
length information, functions to insure that the information
passed has not changed during the passing.
The command interpreter 74 then proceeds to
perform one of the functions illustrated by five
boxes 74a, 74b, 74c, 74d, 74e, representing the
functions of testing the page, initialize loading,
loading data, verifying a page or end of loading,
respectively, depending on the instruction from the
application server program 54. The function of testing
the page in the block 74a is a check of a
particular page of data in the EEPROM memory 16
by writing and reading data to each byte of data on
the page, in essence a memory check. The function
of initialize loading in the block 74b sets the
EEPROM type, the address for the first byte of
data and the byte count before the next load initialization.
The function of loading data in the block
74c is the transfer of one byte of data from the
application server program 54 to the alterable
memory 16 of the card. The function of verifying a
page in the block 74d is an internal generation of a
checksum for the indicated page, which checksum
is then passed to the application server program 54
for verification that the entire page has been transferred
correctly. The step of end of loading in the
block 74e sets a lockswitch bit in the card to inhibit
further load commands (such further load commands
being a possible indication of tampering or
improper adjustment of the program or its data).
The double reset sequence of a load command as
described below must then be followed to load any
further application program after the lockswitch has
been set.
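
The command framing, page verification and lockswitch described above, as an added C sketch that is not code from the patent; the frame layout, opcode and status values and memory sizes are assumptions, and the test-page command is omitted. It also shows the limit of a ones-count checksum: a single flipped bit is rejected, but a byte that arrives as 0xF0 instead of 0x0F has the same count and is stored, so the check covers transmission loss rather than deliberate alteration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layout (the patent specifies none): [op][len][data...][ones],
 * where `ones` is the count of 1 bits in the data bytes. */
enum { OP_INIT_LOAD = 1, OP_LOAD_DATA, OP_VERIFY_PAGE, OP_END_LOAD };
enum { ST_OK = 0, ST_BAD_FRAME, ST_LOCKED, ST_RANGE };

#define MEM_SIZE 256u
#define PAGE     64u
#define MAX_DATA 16u   /* keeps the ones-count within one byte */

typedef struct {
    uint8_t  mem[MEM_SIZE];  /* stand-in for the alterable memory 16 */
    uint16_t addr;           /* next load address, set by INIT LOAD */
    uint16_t page_sum;       /* last VERIFY PAGE result, sent to the server */
    bool     lockswitch;     /* set by END LOAD */
} loader_t;

/* The checksum of the text: a count of the one bits. */
static unsigned ones(const uint8_t *p, size_t n) {
    unsigned count = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t b = p[i]; b; b &= (uint8_t)(b - 1))
            count++;
    return count;
}

/* Server side: wrap `len` data bytes in a frame, return the frame length. */
static size_t build(uint8_t *out, uint8_t op, const uint8_t *data, uint8_t len) {
    out[0] = op;
    out[1] = len;
    if (len) memcpy(out + 2, data, len);
    out[2 + len] = (uint8_t)ones(out + 2, len);
    return (size_t)len + 3;
}

/* Card side: length must match what arrived and the ones-count must agree. */
static bool frame_ok(const uint8_t *f, size_t n) {
    if (n < 3 || f[1] > MAX_DATA || (size_t)f[1] + 3 != n) return false;
    return ones(f + 2, f[1]) == f[n - 1];
}

/* Command interpreter 74 (blocks 74b to 74e). */
static int handle(loader_t *c, const uint8_t *f, size_t n) {
    if (!frame_ok(f, n)) return ST_BAD_FRAME;
    uint8_t op = f[0], len = f[1];
    const uint8_t *d = f + 2;
    if (op == OP_VERIFY_PAGE) {              /* 74d: checksum of one page */
        if (len != 1 || d[0] >= MEM_SIZE / PAGE) return ST_RANGE;
        c->page_sum = (uint16_t)ones(&c->mem[d[0] * PAGE], PAGE);
        return ST_OK;
    }
    if (c->lockswitch) return ST_LOCKED;     /* load commands inhibited */
    switch (op) {
    case OP_INIT_LOAD:                       /* 74b: address of first byte */
        if (len != 1) return ST_RANGE;
        c->addr = d[0];
        return ST_OK;
    case OP_LOAD_DATA:                       /* 74c: one byte per command */
        if (len != 1 || c->addr >= MEM_SIZE) return ST_RANGE;
        c->mem[c->addr++] = d[0];
        return ST_OK;
    case OP_END_LOAD:                        /* 74e: set the lockswitch */
        c->lockswitch = true;
        return ST_OK;
    default:
        return ST_RANGE;
    }
}

/* Send one command; its data byte is XORed with `noise` while in transit. */
static int transmit(loader_t *c, uint8_t op, uint8_t value, uint8_t noise) {
    uint8_t f[MAX_DATA + 3];
    uint8_t len = (op == OP_END_LOAD) ? 0 : 1;
    size_t n = build(f, op, &value, len);
    if (len) f[2] ^= noise;
    return handle(c, f, n);
}

int main(void) {
    loader_t c = {0};
    transmit(&c, OP_INIT_LOAD, 0x00, 0);
    int one_bit = transmit(&c, OP_LOAD_DATA, 0x0F, 0x01);  /* 0x0E arrives */
    int swapped = transmit(&c, OP_LOAD_DATA, 0x0F, 0xFF);  /* 0xF0 arrives */
    printf("one bit flipped: status %d\n", one_bit);
    printf("0x0F -> 0xF0:    status %d, stored 0x%02X\n", swapped, c.mem[0]);
    transmit(&c, OP_END_LOAD, 0, 0);
    printf("load after END LOAD: status %d\n",
           transmit(&c, OP_LOAD_DATA, 0x55, 0));
    return 0;
}
```
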

The "Load" function on the card is invoked by 
a timed double reset sequence on reset line 60. In 
a newly created card, that is, a card manufactured 
without an application program stored thereon, it is 
impossible to predict the state of any bit in the 
application program storage 16 or the flag 22. It is 
therefore desirable in some instances to know 
whether an application program has been loaded 
onto the card, or whether this is a new card having 
no application program and therefore requiring one. 
This timed double reset sequence accomplishes
this, and resolves any uncertainty or ambiguity of
whether an application program has been loaded. 

When the reset line 60 is activated, the instruc- 
tion processor 12 proceeds to a section of instruc- 
tions designed to prevent any ambiguity as to 
whether a program has been loaded. The first step 
in response to a load instruction is to test a predetermined
portion of the application program storage
16 for a predetermined sequence. If that sequence
is not found, the load instruction then
writes that predetermined sequence in the predetermined
portion of the application program storage.
A time is also set then to erase the predetermined
sequence from the predetermined portion
after a fixed time interval. If a program load is to
occur, a second activation on the reset line 60 
must occur before the end of the fixed time interval 
after the writing of the predetermined sequence. 
Now the test for the predetermined sequence in 
the predetermined portion of the application pro- 
gram storage 16 is successful (because it had 
been just written there by the first reset and not yet 
erased). This presence of the sequence indicates 
that this is the second reset, or the signal that a 
program load is desired. As a result of the program 
load, a first result is that the predetermined se- 
quence in the predetermined portion of storage is 
erased. A second result is the overwriting of se- 
lected pages of memory, for example, pages 0 and 
1 of the application program storage. This overwriting
effectively erases all the sensitive information
from a previous program, for example, encryption
keys or personal identification information that
could be useful in defeating system security. 

Of course, the predetermined sequence which 
is written must be large enough to insure against 
accidentally having that sequence appear unless it 
has just been written as a result of a first reset. 
Otherwise, the double reset will not be effective as 
the indicator for program loading. That is, if the 
predetermined sequence may appear in the pre- 
determined portion without having been written 
there by a first reset, then a program load will be 
improperly attempted in response to the first reset 
signal. Further, if that predetermined sequence appears
other than through the reset function (which
erases the sequence the fixed time interval later),
then the predetermined sequence may not be
erased. In short, the predetermined sequence must
happen only through the first reset in order for this
timed double reset to signify a program loading.
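
The timed double reset, the overwriting of pages 0 and 1 on load and the erase-before-dump behaviour described earlier, modelled in C as an added example that is not code from the patent. Page size, the marker bytes and their location, the erased value 0xFF and the 100-tick window are assumptions; the last scenario in main shows the failure mode of the paragraph above, where the sequence is already present when the first reset arrives.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the application program storage 16. All sizes and
 * values below are assumptions, not figures from the patent. */
#define PAGE_SIZE     64u
#define NUM_PAGES     8u
#define MARKER_OFFSET (2u * PAGE_SIZE)  /* the "predetermined portion" */
#define LOAD_WINDOW   100u              /* fixed time interval, in ticks */
#define ERASED        0xFFu

static const uint8_t MARKER[8] = {0xA5, 0x5A, 0xC3, 0x3C, 0x96, 0x69, 0x0F, 0xF0};

typedef enum { RESET_ARMED, RESET_LOAD } reset_result;

typedef struct {
    uint8_t  eeprom[NUM_PAGES * PAGE_SIZE];
    uint32_t now;            /* free-running tick counter */
    uint32_t deadline;       /* tick at which the marker is erased */
    bool     timer_running;
} card_t;

/* A newly made card: memory holds an unpredictable pattern (seeded LCG). */
static void card_init(card_t *c, uint32_t seed) {
    memset(c, 0, sizeof *c);
    for (size_t i = 0; i < sizeof c->eeprom; i++) {
        seed = seed * 1664525u + 1013904223u;
        c->eeprom[i] = (uint8_t)(seed >> 24);
    }
}

static bool marker_present(const card_t *c) {
    return memcmp(&c->eeprom[MARKER_OFFSET], MARKER, sizeof MARKER) == 0;
}

static void marker_erase(card_t *c) {
    memset(&c->eeprom[MARKER_OFFSET], ERASED, sizeof MARKER);
    c->timer_running = false;
}

/* Pages 0 and 1 hold keys and identification data; wipe them. */
static void erase_secret_pages(card_t *c) {
    memset(c->eeprom, ERASED, 2u * PAGE_SIZE);
}

/* Time passes; when the window closes with no second reset, the marker goes. */
static void card_tick(card_t *c, uint32_t ticks) {
    c->now += ticks;
    if (c->timer_running && c->now >= c->deadline)
        marker_erase(c);
}

/* Reset line 60. A reset that finds no marker writes it and starts the
 * window; a reset that finds the marker is taken as the second of the pair. */
static reset_result card_reset(card_t *c) {
    if (!marker_present(c)) {
        memcpy(&c->eeprom[MARKER_OFFSET], MARKER, sizeof MARKER);
        c->deadline = c->now + LOAD_WINDOW;
        c->timer_running = true;
        return RESET_ARMED;
    }
    marker_erase(c);
    erase_secret_pages(c);   /* the previous program's secrets do not survive */
    return RESET_LOAD;
}

/* Memory dump: the secret pages are erased before anything is read out. */
static void card_dump(card_t *c, uint8_t *out) {
    erase_secret_pages(c);
    memcpy(out, c->eeprom, sizeof c->eeprom);
}

/* Two resets `gap` ticks apart; returns what the second reset did. */
static reset_result double_reset(card_t *c, uint32_t gap) {
    card_reset(c);
    card_tick(c, gap);
    return card_reset(c);
}

int main(void) {
    card_t c;
    card_init(&c, 1);
    printf("resets 10 ticks apart:  %s\n",
           double_reset(&c, 10) == RESET_LOAD ? "load" : "no load");
    card_init(&c, 1);
    printf("resets 100 ticks apart: %s\n",
           double_reset(&c, LOAD_WINDOW) == RESET_LOAD ? "load" : "no load");
    /* Failure mode from the text: marker present by chance on a blank card. */
    card_init(&c, 1);
    memcpy(&c.eeprom[MARKER_OFFSET], MARKER, sizeof MARKER);
    printf("chance marker, 1 reset: %s\n",
           card_reset(&c) == RESET_LOAD ? "spurious load" : "armed");
    return 0;
}
```
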

Of course, many alternatives to the preferred 
mode of carrying out the present invention are 
apparent to those skilled in the art of smart card 
design and manufacture, and furthermore, some
features of the present invention may be used
without the corresponding use of other features
described in this description. For example, the use
of flags to indicate the presence or absence of a
loaded application program is a convenience for
those handling such cards; its absence may require
more effort to determine whether an application
program has been loaded, but the entire contents
of the card could be compared to the possible
application programs to determine whether a match
exists, indicating that a program was loaded. 

While the description of the preferred embodi- 
ment indicates that the card includes an application 
program, more than one application program can 
be loaded into a card, limited only by the size of
the programs relative to the memory available.
Thus, a single card could concurrently include
multiple application programs, selected by an
external input. The described technique for loading
an application program is desirable, although other
techniques might be used to advantage. Further,
those skilled in the relevant arts will know that
certain features, such as the method of creating
and downloading application programs, can be
changed from that described in the foregoing description
of the preferred embodiment.



Claims 

1. A method for fabricating a portable card
having a processor (12) and means (18) for communicating
with an external terminal device, the
steps of the method comprising:

mounting a memory, a processor and communication
means on a card, said memory being
without an application program at the time of
mounting;

connecting the processor to the memory and
the communication means to fabricate a smart card
without an application program; and

after the smart card has been assembled and
the processor, memory and communication means
have been connected, loading an application program
into the memory.

2. The method of Claim 1 wherein the step of 
loading an application program further includes the 
step of coupling the card to an external processor 
(50) and downloading an application program from
the external processor to the memory of the smart 
card. 

3. The method of Claim 2 wherein at least 
portions of the application program are sequentially 
loaded through the instruction processor. 

4. The method of Claim 3 wherein the loading 
step includes responding to a reset signal by testing
the memory for preset information and loading
the application program only if the preset information
is present, writing preset information on the
card for a fixed interval if the preset information is 
not present, then removing the preset information if 
a second reset signal has not been received before 
the end of the fixed interval, whereby an applica- 
tion program may be loaded into the alterable 
memory only in response to two reset signals 
being received within the fixed interval. 

5. The method of one of the Claims 1 - 4 
wherein the method further includes the step of 
erasing a portion of the memory of the smart card 
in response to an attempt to read out that portion 
of the memory. 

6. The method of one of the Claims 1 - 5 
wherein the method further includes the step of 
replacing an existing application program in a pro- 
grammed smart card with a second application 
program. 

7. A portable card (10) selectively coupled to 
an external device (50) for receiving and transmit- 
ting information therebetween, said card compris- 
ing: 

a base having approximately the dimension of 
a standard credit card and including contacts (18) 
for selectively coupling the card to the external 
device; 

a command processor (12) mounted to the 
base and electrically coupled to the contacts, said 
command processor including means for coupling 
the command processor to an external terminal 
device; and 

a non-volatile memory (14) coupled to the 
command processor including a changeable memory
(16) and data for loading an application program
from the external terminal device into the
changeable memory, whereby the portable card 
may be manufactured without an application pro- 
gram and the application program may be gen- 
erated externally of the smart card and loaded into 
the changeable memory after the card is manufac- 
tured. 

8. The card of Claim 7 further including
means (22) for indicating whether an application
program has been loaded therein, said means including
at least a first state when no application
program has been loaded thereon and a second
state when an application program is present.



9. The card of Claim 7 or 8 further including 
means for erasing a portion of the memory in
response to an attempt to read a portion of the
memory externally, whereby an attempt to alter the
application program may be prevented.

10. The card of one of the Claims 7 - 9 wherein 
the command processor and the non-volatile mem- 
ory are included in a single integrated circuit car- 
ried on the base of the portable card. 

11. The card of one of the Claims 7 - 10 wherein the command processor includes a memory portion which receives and stores for a predetermined time period a predetermined sequence when a first reset signal and means for loading an application in response to a second reset, with the reset testing for the predetermined sequence. 
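An added example, not code from the patent: a minimal C model of the reset discriminator of Claim 11 together with the flag of Claim 8 and the erase-on-read of Claim 9. The marker value, the 200 ms window, the memory sizes and the location of the key portion are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MARKER    0xA55A3CC3u /* assumed "predetermined sequence" */
#define WINDOW_MS 200u        /* assumed "predetermined time period" */
#define KEY_OFF   0           /* assumed offset of the key portion */
#define KEY_LEN   8
#define APP_LEN   32

typedef enum { MODE_IDLE, MODE_EXECUTE, MODE_LOAD } card_mode_t;

typedef struct {
    uint32_t marker;       /* sequence written by the first reset */
    uint32_t marker_time;  /* time it was written, in ms */
    uint8_t  app[APP_LEN]; /* changeable memory (16) */
    int      loaded;       /* flag (22): 0 = blank, 1 = program present */
} card_t;

static void erase_key_portion(card_t *c) {
    memset(c->app + KEY_OFF, 0, KEY_LEN);
}

/* Load/execute discriminator, run on every reset. */
card_mode_t card_reset(card_t *c, uint32_t now_ms) {
    if (c->marker == MARKER && now_ms - c->marker_time < WINDOW_MS) {
        c->marker = 0;        /* second reset inside the window: load */
        erase_key_portion(c); /* old program's key data must not survive */
        c->loaded = 0;
        return MODE_LOAD;
    }
    c->marker = MARKER;       /* first reset, or window expired: re-arm */
    c->marker_time = now_ms;
    return c->loaded ? MODE_EXECUTE : MODE_IDLE;
}

/* Accept a program image only in load mode, then set the flag. */
int card_load(card_t *c, card_mode_t mode, const uint8_t *img, size_t n) {
    if (mode != MODE_LOAD || n > APP_LEN) return -1;
    memset(c->app, 0, APP_LEN);
    memcpy(c->app, img, n);
    c->loaded = 1;
    return 0;
}

/* External read-out: the key portion is erased before any byte leaves. */
size_t card_dump(card_t *c, uint8_t *out, size_t n) {
    erase_key_portion(c);
    if (n > APP_LEN) n = APP_LEN;
    memcpy(out, c->app, n);
    return n;
}
```

Because the erase happens before the mode is returned, a caller that triggers load mode never sees the previous program's key bytes, whether or not a new image is then supplied.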




[Drawing sheet. Block labels recoverable from the figures: APPLICATION DEVELOPMENT; INSTRUCTION PROCESSOR; APPLICATION CODE; APPLICATION SERVER PROGRAM; STATUS; PROGRAM DOWNLOAD; READ ONLY STORAGE; APPLICATION PROGRAM STORAGE; FLAG; RESET; LOAD / EXECUTE DISCRIMINATOR; EXECUTE; SECURE STORAGE SUPERVISOR; STATUS REPORTER; MAINFRAME; COMMAND INTERPRETER; TEST PAGE; INIT. LOAD; LOAD DATA; VERIFY PAGE; END LOAD.] 



Europäisches Patentamt 
European Patent Office 
Office européen des brevets 

Publication number: 0 275 510 A3 

EUROPEAN PATENT APPLICATION 

Application number: 87118815.7 
Int. Cl.4: G07F 7/10 
Date of filing: 18.12.87 
Priority: 20.01.87 US 4501 
Date of publication of application: 27.07.88 Bulletin 88/30 
Designated Contracting States: DE FR GB IT 
Date of deferred publication of the search report: 05.04.89 Bulletin 89/14 

Applicant: International Business Machines Corporation, Old Orchard Road, Armonk, N.Y. 10504 (US) 

Inventor: Abraham, Dennis George, 5795 Gettysburg Dr., [city illegible] 
Inventor: Double, Glen Paul, 8834 High Ridge Lane, Concord, NC 28025 (US) 
Inventor: Neckyfarow, Steven William, 2609 Lawton Bluff Rd., Matthews, NC 28105 (US) 
Inventor: Rohland, William Stanley, 4234 Rotunda Rd., Charlotte, NC 28226 (US) 
Inventor: Tung, Min-Hsiung George, 10309 Ben Franklin Ct., Matthews, NC 28105 (US) 

Representative: Barth, Carl Otto et al, IBM Deutschland GmbH, Patentwesen und Urheberrecht, Schönaicher Strasse 220, D-7030 Böblingen (DE) 

Smart card having external programming capability and method of making same. 






[Front-page figure. Block labels: READ ONLY STORAGE; APPLICATION PROGRAM STORAGE; FLAG (22); INSTRUCTION PROCESSOR.] 

European Patent Office 

EUROPEAN SEARCH REPORT 

Application Number: EP 87 11 8815 

DOCUMENTS CONSIDERED TO BE RELEVANT 

Citation of document with indication, where appropriate, of relevant passages: 

US-A-4 613 937 (BATTY Jr.) 
* Abstract; figure 5; column 2; claims 1-5 * 
Relevant to claim: 1-11 

WO-A-8 705 420 (DATA CARD CORP.) 
* Page 1, line 30 - page 4, line 12; page 10, line 25 - page 12, line 5; claims 1-11 * 
Relevant to claim: 1-3, 7-10 

CLASSIFICATION OF THE APPLICATION (Int. Cl.4): G 07 F 7/00 
TECHNICAL FIELDS SEARCHED (Int. Cl.4): G 07, G 06 

The present search report has been drawn up for all claims. 

THE HAGUE 
Date of completion of the search: 24-01-1989 
Examiner: GUIVOL O. 

CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken alone 
Y : particularly relevant if combined with another document of the same category 
A : technological background 
O : non-written disclosure 
P : intermediate document 
T : theory or principle underlying the invention 
E : earlier patent document, but published on, or after the filing date 
D : document cited in the application 
L : document cited for other reasons 
& : member of the same patent family, corresponding document 




